<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content=
    "application/xhtml+xml; charset=iso-8859-1" />
    <title>
      stunnel-5.56
    </title>
    <link rel="stylesheet" type="text/css" href="../stylesheets/lfs.css" />
    <meta name="generator" content="DocBook XSL Stylesheets V1.78.1" />
    <link rel="stylesheet" href="../stylesheets/lfs-print.css" type=
    "text/css" media="print" />
  </head>
  <body class="blfs" id="blfs-2020-04-02">
    <div class="navheader">
      <h4>
        Beyond Linux<sup>�</sup> From Scratch <span class="phrase">(System
        V</span> Edition) - Version 2020-04-02
      </h4>
      <h3>
        Chapter&nbsp;4.&nbsp;Security
      </h3>
      <ul>
        <li class="prev">
          <a accesskey="p" href="ssh-askpass.html" title=
          "ssh-askpass-8.2p1">Prev</a>
          <p>
            ssh-askpass-8.2p1
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="sudo.html" title="Sudo-1.8.31p1">Next</a>
          <p>
            Sudo-1.8.31p1
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 2020-04-02">
          Home</a>
        </li>
      </ul>
    </div>
    <div class="sect1" lang="en" xml:lang="en">
      <h1 class="sect1">
        <a id="stunnel" name="stunnel"></a>stunnel-5.56
      </h1>
      <div class="package" lang="en" xml:lang="en">
        <h2 class="sect2">
          Introduction to stunnel
        </h2>
        <p>
          The <span class="application">stunnel</span> package contains a
          program that allows you to encrypt arbitrary TCP connections inside
          SSL (Secure Sockets Layer) so you can easily communicate with
          clients over secure channels. <span class=
          "application">stunnel</span> can be used to add SSL functionality
          to commonly used <span class="application">Inetd</span> daemons
          such as POP-2, POP-3, and IMAP servers, along with standalone
          daemons such as NNTP, SMTP, and HTTP. <span class=
          "application">stunnel</span> can also be used to tunnel PPP over
          network sockets without changes to the server package source code.
        </p>
        <p>
          This package is known to build and work properly using an LFS-9.1
          platform.
        </p>
        <h3>
          Package Information
        </h3>
        <div class="itemizedlist">
          <ul class="compact">
            <li class="listitem">
              <p>
                Download (FTP): <a class="ulink" href=
                "ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-5.56.tar.gz">
                ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-5.56.tar.gz</a>
              </p>
            </li>
            <li class="listitem">
              <p>
                Download MD5 sum: 01b0ca9e071f582ff803a85d5ed72166
              </p>
            </li>
            <li class="listitem">
              <p>
                Download size: 960 KB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated disk space required: 7.5 MB
              </p>
            </li>
            <li class="listitem">
              <p>
                Estimated build time: 0.1 SBU
              </p>
            </li>
          </ul>
        </div>
        <h3>
          stunnel Dependencies
        </h3>
        <h4>
          Optional
        </h4>
        <p class="optional">
          <a class="ulink" href="http://netcat.sourceforge.net/">netcat</a>
          (required for tests), <a class="ulink" href=
          "ftp://ftp.porcupine.org/pub/security/">tcpwrappers</a>, and
          <a class="ulink" href="https://dist.torproject.org/">TOR</a>
        </p>
        <p class="usernotes">
          User Notes: <a class="ulink" href=
          "http://wiki.linuxfromscratch.org/blfs/wiki/stunnel">http://wiki.linuxfromscratch.org/blfs/wiki/stunnel</a>
        </p>
      </div>
      <div class="installation" lang="en" xml:lang="en">
        <h2 class="sect2">
          Installation of stunnel
        </h2>
        <p>
          The <span class="command"><strong>stunnel</strong></span> daemon
          will be run in a <span class=
          "command"><strong>chroot</strong></span> jail by an unprivileged
          user. Create the new user and group using the following commands as
          the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">groupadd -g 51 stunnel &amp;&amp;
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel</kbd>
</pre>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            A signed SSL Certificate and a Private Key is necessary to run
            the <span class="command"><strong>stunnel</strong></span> daemon.
            After the package is installed, there are instructions to
            generate them. However, if you own or have already created a
            signed SSL Certificate you wish to use, copy it to <code class=
            "filename">/etc/stunnel/stunnel.pem</code> before starting the
            build (ensure only <code class="systemitem">root</code> has read
            and write access). The <code class="filename">.pem</code> file
            must be formatted as shown below:
          </p>
          <pre class="screen">
<code class="literal">-----BEGIN PRIVATE KEY-----
<em class=
"replaceable"><code>&lt;many encrypted lines of private key&gt;</code></em>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<em class=
"replaceable"><code>&lt;many encrypted lines of certificate&gt;</code></em>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<em class="replaceable"><code>&lt;encrypted lines of dh parms&gt;</code></em>
-----END DH PARAMETERS-----</code>
</pre>
        </div>
        <p>
          Install <span class="application">stunnel</span> by running the
          following commands:
        </p>
        <div class="admon note">
          <img alt="[Note]" src="../images/note.png" />
          <h3>
            Note
          </h3>
          <p>
            For some systems with <span class="application">binutils</span>
            versions prior to 2.25, <span class=
            "command"><strong>configure</strong></span> may fail. If
            necessary, fix it either with:
          </p>
          <pre class="userinput">
<kbd class="command">sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure</kbd>
</pre>
          <p>
            or, if <a class="xref" href="../general/llvm.html" title=
            "LLVM-10.0.0">LLVM-10.0.0</a> with Clang is installed, you can
            replace <span class="command"><strong>./configure
            ...</strong></span> with <span class="command"><strong>CC=clang
            ./configure ...</strong></span> in the first command below.
          </p>
        </div>
        <pre class="userinput">
<kbd class="command">./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --disable-systemd    &amp;&amp;
make</kbd>
</pre>
        <p>
          If you have installed the optional netcat application, the
          regression tests can be run with <span class="command"><strong>make
          check</strong></span>.
        </p>
        <p>
          Now, as the <code class="systemitem">root</code> user:
        </p>
        <pre class="root">
<kbd class="command">make docdir=/usr/share/doc/stunnel-5.56 install</kbd>
</pre>
        <p>
          If you do not already have a signed SSL Certificate and Private
          Key, create the <code class="filename">stunnel.pem</code> file in
          the <code class="filename">/etc/stunnel</code> directory using the
          command below. You will be prompted to enter the necessary
          information. Ensure you reply to the
        </p>
        <pre class="screen">
<code class="prompt">Common Name (FQDN of your server) [localhost]:</code>
</pre>
        <p>
          prompt with the name or IP address you will be using to access the
          service(s).
        </p>
        <p>
          To generate a certificate, as the <code class=
          "systemitem">root</code> user, issue:
        </p>
        <pre class="root">
<kbd class="command">make cert</kbd>
</pre>
      </div>
      <div class="commands" lang="en" xml:lang="en">
        <h2 class="sect2">
          Command Explanations
        </h2>
        <p>
          <em class="parameter"><code>--disable-systemd</code></em>: This
          switch disables systemd socket activation support which is not
          available in BLFS.
        </p>
        <p>
          <span class="command"><strong>make docdir=...
          install</strong></span>: This command installs the package and
          changes the documentation installation directory to standard naming
          conventions.
        </p>
      </div>
      <div class="configuration" lang="en" xml:lang="en">
        <h2 class="sect2">
          Configuring stunnel
        </h2>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="stunnel-config" name="stunnel-config"></a>
          </h3>
          <h4 class="title">
            <a id="stunnel-config" name="stunnel-config"></a>Config Files
          </h4>
          <p>
            <code class="filename">/etc/stunnel/stunnel.conf</code>
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3"></h3>
          <h4 class="title">
            <a id="idm140006464907648" name=
            "idm140006464907648"></a>Configuration Information
          </h4>
          <p>
            As the <code class="systemitem">root</code> user, create the
            directory used for the <code class="filename">.pid</code> file
            created when the <span class="application">stunnel</span> daemon
            starts:
          </p>
          <pre class="root">
<kbd class=
"command">install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &amp;&amp;
chown stunnel:stunnel /var/lib/stunnel</kbd>
</pre>
          <p>
            Next, create a basic <code class=
            "filename">/etc/stunnel/stunnel.conf</code> configuration file
            using the following commands as the <code class=
            "systemitem">root</code> user:
          </p>
          <pre class="root">
<kbd class="command">cat &gt;/etc/stunnel/stunnel.conf &lt;&lt; "EOF" 
<code class="literal">; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept  = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0</code>

EOF</kbd>
</pre>
          <p>
            Finally, add the service(s) you wish to encrypt to the
            configuration file. The format is as follows:
          </p>
          <pre class="screen">
<code class="literal">[<em class=
"replaceable"><code>&lt;service&gt;</code></em>]
accept  = <em class=
"replaceable"><code>&lt;hostname:portnumber&gt;</code></em>
connect = <em class=
"replaceable"><code>&lt;hostname:portnumber&gt;</code></em></code>
</pre>
          <p>
            If you use <span class="application">stunnel</span> to encrypt a
            daemon started from <span class=
            "command"><strong>[x]inetd</strong></span>, you may need to
            disable that daemon in the <code class=
            "filename">/etc/[x]inetd.conf</code> file and enable a
            corresponding <em class=
            "replaceable"><code>&lt;service&gt;</code></em>_stunnel service.
            You may have to add an appropriate entry in <code class=
            "filename">/etc/services</code> as well.
          </p>
          <p>
            For a full explanation of the commands and syntax used in the
            configuration file, issue <span class="command"><strong>man
            stunnel</strong></span>.
          </p>
        </div>
        <div class="sect3" lang="en" xml:lang="en">
          <h3 class="sect3">
            <a id="stunnel-init" name="stunnel-init"></a>
          </h3>
          <h4 class="title">
            <a id="stunnel-init" name="stunnel-init"></a><span class=
            "phrase">Boot Script</span>
          </h4>
          <p>
            To automatically start the <span class=
            "command"><strong>stunnel</strong></span> daemon when the system
            is booted, install the <code class=
            "filename">/etc/rc.d/init.d/stunnel</code> bootscript from the
            <a class="xref" href="../introduction/bootscripts.html" title=
            "BLFS Boot Scripts">blfs-bootscripts-20191204</a> package.
          </p>
          <pre class="root">
<kbd class="command">make install-stunnel</kbd>
</pre>
        </div>
      </div>
      <div class="content" lang="en" xml:lang="en">
        <h2 class="sect2">
          Contents
        </h2>
        <div class="segmentedlist">
          <div class="seglistitem">
            <div class="seg">
              <strong class="segtitle">Installed Programs:</strong>
              <span class="segbody">stunnel and stunnel3</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Library:</strong>
              <span class="segbody">libstunnel.so</span>
            </div>
            <div class="seg">
              <strong class="segtitle">Installed Directories:</strong>
              <span class="segbody">/{etc,usr/lib,var/lib}/stunnel and
              /usr/share/doc/stunnel-5.56</span>
            </div>
          </div>
        </div>
        <div class="variablelist">
          <h3>
            Short Descriptions
          </h3>
          <table border="0" class="variablelist">
            <colgroup>
              <col align="left" valign="top" />
              <col />
            </colgroup>
            <tbody>
              <tr>
                <td>
                  <p>
                    <a id="stunnel-prog" name="stunnel-prog"></a><span class=
                    "term"><span class=
                    "command"><strong>stunnel</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a program designed to work as an SSL encryption
                    wrapper between remote clients and local (<span class=
                    "command"><strong>{x}inetd</strong></span>-startable) or
                    remote servers.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="stunnel3" name="stunnel3"></a><span class=
                    "term"><span class=
                    "command"><strong>stunnel3</strong></span></span>
                  </p>
                </td>
                <td>
                  <p>
                    is a <span class="application">Perl</span> wrapper script
                    to use <span class=
                    "command"><strong>stunnel</strong></span> 3.x syntax with
                    <span class="command"><strong>stunnel</strong></span>
                    4.05 or later.
                  </p>
                </td>
              </tr>
              <tr>
                <td>
                  <p>
                    <a id="libstunnel" name="libstunnel"></a><span class=
                    "term"><code class="filename">libstunnel.so</code></span>
                  </p>
                </td>
                <td>
                  <p>
                    contains the API functions required by <span class=
                    "application">stunnel</span>.
                  </p>
                </td>
              </tr>
            </tbody>
          </table>
        </div>
      </div>
      <p class="updated">
        Last updated on 2020-03-24 14:19:44 -0500
      </p>
    </div>
    <div class="navfooter">
      <ul>
        <li class="prev">
          <a accesskey="p" href="ssh-askpass.html" title=
          "ssh-askpass-8.2p1">Prev</a>
          <p>
            ssh-askpass-8.2p1
          </p>
        </li>
        <li class="next">
          <a accesskey="n" href="sudo.html" title="Sudo-1.8.31p1">Next</a>
          <p>
            Sudo-1.8.31p1
          </p>
        </li>
        <li class="up">
          <a accesskey="u" href="security.html" title=
          "Chapter&nbsp;4.&nbsp;Security">Up</a>
        </li>
        <li class="home">
          <a accesskey="h" href="../index.html" title=
          "Beyond Linux� From Scratch     (System V Edition) - Version 2020-04-02">
          Home</a>
        </li>
      </ul>
    </div>
  </body>
</html>
